[v17] Add ClientIPRestrictions entitlement

api/proto/teleport/legacy/client/proto/authservice.proto

@@ -621,6 +621,8 @@ message Features {
   bytes CloudAnonymizationKey = 37 [(gogoproto.jsontag) = "cloud_anonymization_key,omitempty"];
   // AccessGraphDemoMode enables the ability to opt-in to a demo mode of Access Graph with limited features.
   bool AccessGraphDemoMode = 38 [(gogoproto.jsontag) = "access_graph_demo_mode,omitempty"];
+  // ClientIPRestrictions allows Cloud users to setup a client IP allowlist
+  bool ClientIPRestrictions = 39 [(gogoproto.jsontag) = "client_ip_restrictions,omitempty"];
 }
 
 // EntitlementInfo is the state and limits of a particular entitlement

entitlements/entitlements.go

@@ -53,13 +53,15 @@ const (
 	UsageReporting             EntitlementKind = "UsageReporting"
 	LicenseAutoUpdate          EntitlementKind = "LicenseAutoUpdate"
 	AccessGraphDemoMode        EntitlementKind = "AccessGraphDemoMode"
+	ClientIPRestrictions       EntitlementKind = "ClientIPRestrictions"
 )
 
 // AllEntitlements returns all Entitlements; should be 1:1 with the const declared above.
 var AllEntitlements = []EntitlementKind{
 	AccessLists, AccessMonitoring, AccessRequests, App, CloudAuditLogRetention, DB, Desktop, DeviceTrust,
 	ExternalAuditStorage, FeatureHiding, HSM, Identity, JoinActiveSessions, K8s, MobileDeviceManagement, OIDC, OktaSCIM,
 	OktaUserSync, Policy, SAML, SessionLocks, UnrestrictedManagedUpdates, UpsellAlert, UsageReporting, LicenseAutoUpdate, AccessGraphDemoMode,
+	ClientIPRestrictions,
 }
 
 // BackfillFeatures ensures entitlements are backwards compatible.

entitlements/entitlements_test.go

@@ -93,6 +93,7 @@ func TestBackfillFeatures(t *testing.T) {
 					string(LicenseAutoUpdate):          {Enabled: true},
 					string(AccessGraphDemoMode):        {Enabled: true},
 					string(UnrestrictedManagedUpdates): {Enabled: true},
+					string(ClientIPRestrictions):       {Enabled: true},
 				},
 			},
 			expected: map[string]*proto.EntitlementInfo{
@@ -122,6 +123,7 @@ func TestBackfillFeatures(t *testing.T) {
 				string(LicenseAutoUpdate):          {Enabled: true},
 				string(AccessGraphDemoMode):        {Enabled: true},
 				string(UnrestrictedManagedUpdates): {Enabled: true},
+				string(ClientIPRestrictions):       {Enabled: true},
 			},
 		},
 		{
@@ -200,6 +202,7 @@ func TestBackfillFeatures(t *testing.T) {
 				string(LicenseAutoUpdate):          {Enabled: false},
 				string(AccessGraphDemoMode):        {Enabled: false},
 				string(UnrestrictedManagedUpdates): {Enabled: false},
+				string(ClientIPRestrictions):       {Enabled: false},
 			},
 		},
 		{
@@ -275,6 +278,7 @@ func TestBackfillFeatures(t *testing.T) {
 				string(LicenseAutoUpdate):          {Enabled: false},
 				string(AccessGraphDemoMode):        {Enabled: false},
 				string(UnrestrictedManagedUpdates): {Enabled: false},
+				string(ClientIPRestrictions):       {Enabled: false},
 				// Identity off, fields false
 				string(Identity):     {Enabled: false},
 				string(SessionLocks): {Enabled: false},

lib/modules/modules_test.go

@@ -160,6 +160,7 @@ func TestFeatures_ToProto(t *testing.T) {
 			string(entitlements.LicenseAutoUpdate):          {Enabled: true},
 			string(entitlements.AccessGraphDemoMode):        {Enabled: true},
 			string(entitlements.UnrestrictedManagedUpdates): {Enabled: true},
+			string(entitlements.ClientIPRestrictions):       {Enabled: true},
 		},
 		//	 Legacy Fields; remove in v18
 		Kubernetes:             true,
@@ -237,6 +238,7 @@ func TestFeatures_ToProto(t *testing.T) {
 			entitlements.LicenseAutoUpdate:          {Enabled: true, Limit: 0},
 			entitlements.AccessGraphDemoMode:        {Enabled: true, Limit: 0},
 			entitlements.UnrestrictedManagedUpdates: {Enabled: true, Limit: 0},
+			entitlements.ClientIPRestrictions:       {Enabled: true, Limit: 0},
 		},
 	}
 

lib/web/apiserver_test.go

@@ -4987,6 +4987,7 @@ func TestGetWebConfig_WithEntitlements(t *testing.T) {
 			string(entitlements.LicenseAutoUpdate):          {Enabled: false},
 			string(entitlements.AccessGraphDemoMode):        {Enabled: false},
 			string(entitlements.UnrestrictedManagedUpdates): {Enabled: false},
+			string(entitlements.ClientIPRestrictions):       {Enabled: false},
 		},
 		TunnelPublicAddress:            "",
 		RecoveryCodesEnabled:           false,
@@ -5174,6 +5175,7 @@ func TestGetWebConfig_LegacyFeatureLimits(t *testing.T) {
 			string(entitlements.LicenseAutoUpdate):          {Enabled: false},
 			string(entitlements.AccessGraphDemoMode):        {Enabled: false},
 			string(entitlements.UnrestrictedManagedUpdates): {Enabled: false},
+			string(entitlements.ClientIPRestrictions):       {Enabled: false},
 		},
 		PlayableDatabaseProtocols:     player.SupportedDatabaseProtocols,
 		IsPolicyRoleVisualizerEnabled: true,
@@ -11173,6 +11175,7 @@ func Test_setEntitlementsWithLegacyLogic(t *testing.T) {
 					string(entitlements.LicenseAutoUpdate):          {Enabled: true, Limit: 99},
 					string(entitlements.AccessGraphDemoMode):        {Enabled: true, Limit: 99},
 					string(entitlements.UnrestrictedManagedUpdates): {Enabled: true, Limit: 99},
+					string(entitlements.ClientIPRestrictions):       {Enabled: true, Limit: 99},
 				},
 			},
 			expected: &webclient.WebConfig{
@@ -11237,6 +11240,7 @@ func Test_setEntitlementsWithLegacyLogic(t *testing.T) {
 					string(entitlements.LicenseAutoUpdate):          {Enabled: true, Limit: 99},
 					string(entitlements.AccessGraphDemoMode):        {Enabled: true, Limit: 99},
 					string(entitlements.UnrestrictedManagedUpdates): {Enabled: true, Limit: 99},
+					string(entitlements.ClientIPRestrictions):       {Enabled: true, Limit: 99},
 				},
 			},
 		},
@@ -11340,6 +11344,7 @@ func Test_setEntitlementsWithLegacyLogic(t *testing.T) {
 					string(entitlements.LicenseAutoUpdate):          {Enabled: false},
 					string(entitlements.AccessGraphDemoMode):        {Enabled: false},
 					string(entitlements.UnrestrictedManagedUpdates): {Enabled: false},
+					string(entitlements.ClientIPRestrictions):       {Enabled: false},
 
 					// set to equivalent legacy feature
 					string(entitlements.ExternalAuditStorage):   {Enabled: true},
@@ -11470,6 +11475,8 @@ func Test_setEntitlementsWithLegacyLogic(t *testing.T) {
 					string(entitlements.SAML):                       {Enabled: true},
 					string(entitlements.AccessGraphDemoMode):        {Enabled: false},
 					string(entitlements.UnrestrictedManagedUpdates): {Enabled: false},
+					string(entitlements.ClientIPRestrictions):       {Enabled: false},
+
 					// set to legacy feature "IsIGSEnabled"; false so set value and keep limits
 					string(entitlements.AccessLists):       {Enabled: true, Limit: 88},
 					string(entitlements.AccessMonitoring):  {Enabled: true, Limit: 88},
@@ -11581,6 +11588,7 @@ func Test_setEntitlementsWithLegacyLogic(t *testing.T) {
 					string(entitlements.LicenseAutoUpdate):          {Enabled: false},
 					string(entitlements.AccessGraphDemoMode):        {Enabled: false},
 					string(entitlements.UnrestrictedManagedUpdates): {Enabled: false},
+					string(entitlements.ClientIPRestrictions):       {Enabled: false},
 				},
 			},
 		},

web/packages/teleport/src/entitlement.ts

@@ -42,7 +42,8 @@ type entitlement =
   | 'SessionLocks'
   | 'UnrestrictedManagedUpdates'
   | 'UpsellAlert'
-  | 'UsageReporting';
+  | 'UsageReporting'
+  | 'ClientIPRestrictions';
 
 export const defaultEntitlements: Record<
   entitlement,
@@ -73,4 +74,5 @@ export const defaultEntitlements: Record<
   UnrestrictedManagedUpdates: { enabled: false, limit: 0 },
   UpsellAlert: { enabled: false, limit: 0 },
   UsageReporting: { enabled: false, limit: 0 },
+  ClientIPRestrictions: { enabled: false, limit: 0 },
 };